Posted on Saturday, 25th June 2011 by Michael
Nettalk chooses not to protect clients’ data / privacy
A little over a year ago Nettalk came on the scene as a competitor to Magic Jack. They were not only a competitor but a neighbor, with a corporate office located extremely close to Magic Jack’s. Their claim to fame was that you did not need to have your PC on to use their device to make calls.
Since day one there has been a group of people dead set on finding the coveted SIP credentials that would let them bring their own device instead of using the Nettalk hardware. Magic Jack has, for the most part, successfully made this impossible for its users, which drove more clients over to Nettalk and other services.
Nettalk has not been so successful in blocking its users from obtaining their credentials, though until now it was only possible to obtain your own. A researcher from West Bengal, India has discovered a way to get everyone’s credentials and has released a tool to do it.
The researcher’s name is not 100% known. The alias on the http://www.magicjacksupport.com forum is “vj224”, with “Valavan Jabbar” in the signature. Recently, the signature also contained the website http://www.visva-bharati.ac.in/Rabindranath/Rabindranath.htm . It looks like the mods have since edited the post to remove the tool and the contact information. Looking at the pictures and the post (http://magicjacksupport.com/nettalk-sip-via-tftp-t10925.html) it is quite easy to figure out how this person did this and how to reproduce it with a few lines of code.
The vulnerability stems mostly from negligence and poor design: the device fetches its configuration, SIP credentials included, from a TFTP server, and TFTP has no authentication of its own. The researcher more than likely used a packet sniffer to watch the device’s provisioning traffic, spotted the request, and then reproduced the download manually.
Based on the post on the Magic Jack Support forums and the screenshots I took: an attacker can download the configuration file of any Nettalk user, and with it that user’s SIP credentials, by knowing only the device’s MAC address and the last four digits of its serial number; the TFTP server checks nothing else. Since both values are short and structured, a simple brute-force loop can pull the configurations of many users in a matter of hours, if not minutes. To speed up the attack, look up the manufacturer of the device’s Ethernet chip and the OUI prefixes (the first three octets of the MAC) registered to it; fixing the prefix cuts the MAC search space from 2^48 to 2^24 per OUI, and because vendors hand out addresses sequentially from a block, one known device’s MAC also narrows down its neighbours. The loop could even be run in the cloud, as several password-cracking tools do today.
Write up of the Researcher’s findings: http://magicjacksupport.com/nettalk-sip-via-tftp-t10925.html
Screenshots and my personal logs with dates:
On 6/24/2011 I received a LinkedIn invite from Thomas Hutton, a Senior Engineer at Nettalk. Since I contacted Nettalk, Thomas has altered his LinkedIn profile to hide all relations to Nettalk. Through the magic of Google cache, here is his profile before the edit; below that is the version after the edit.
Before Edit: (screenshot)
After Edit: (screenshot)
I accepted his invite and moments later I got the following message from him accusing me of releasing this vulnerability and tool; he then continued to slander me, questioning my morals and ethics. Ethics and morals are what separate the information security professional from the malicious hacker.
I would like you all to reread the first line, second sentence. Yes, you read it right: Nettalk knew its clients’ data was vulnerable and chose to ignore the vulnerability, hoping no one else would find it.
I responded to these accusations with the following message:
This all took place around 8:30 AM EST on 6/24/2011. It is now 5:00 PM EST on 6/24/2011 and I have not received an apology from him. I have contacted Nettalk customer service and am awaiting a response from corporate so that I can provide them this information. If they do not respond by close of business today, I feel it is my duty to inform their clients about this blatant neglect of their privacy and safety.
In the meantime Nettalk should turn off the TFTP server, or at the very least set up a filter on their firewalls / IPS that flags a single source IP requesting many different configuration files in a short window. Such a filter only slows an attacker down (a distributed brute force spreads requests over many source addresses); the real fix is to stop handing out credentials over an unauthenticated protocol.
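One way to implement the filter described above, as an added example that is not Nettalk’s code or the researcher’s tool: a small Python detector that reads tftpd-style syslog lines and flags any source IP that requests more than a threshold of distinct files within a sliding time window. The log format (modelled on tftpd-hpa’s “RRQ from <ip> filename <name>”), the hostnames, IPs, MACs and file names are constructed sample data, and the cfg_<MAC>_<serial4>.cfg naming is an assumption for illustration, not Nettalk’s real scheme.

```python
"""Detect TFTP config-file enumeration from a single source address.

Added example; not Nettalk's code or the forum tool. Log format is assumed
to resemble tftpd-hpa syslog output; all sample data below is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# "Jun 24 08:31:00 prov in.tftpd[2217]: RRQ from 198.51.100.9 filename x.cfg"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ in\.tftpd\[\d+\]: "
    r"RRQ from (?P<ip>[\d.]+) filename (?P<name>\S+)"
)

# Constructed sample log: 203.0.113.7 is one device re-fetching its own file
# after a reboot, 203.0.113.8 is a NAT with three devices behind it, and
# 198.51.100.9 walks through eight different config files in 14 seconds.
# MACs use the locally administered 02:00:AB prefix so they match no vendor.
SAMPLE_LOG = """\
Jun 24 08:30:10 prov in.tftpd[2211]: RRQ from 203.0.113.7 filename cfg_0200AB0B1C77_4471.cfg
Jun 24 08:30:40 prov in.tftpd[2213]: RRQ from 203.0.113.7 filename cfg_0200AB0B1C77_4471.cfg
Jun 24 08:30:55 prov in.tftpd[2214]: RRQ from 203.0.113.8 filename cfg_0200AB0C0010_1002.cfg
Jun 24 08:30:56 prov in.tftpd[2215]: RRQ from 203.0.113.8 filename cfg_0200AB0C0011_1003.cfg
Jun 24 08:30:57 prov in.tftpd[2216]: RRQ from 203.0.113.8 filename cfg_0200AB0C0012_1004.cfg
Jun 24 08:31:00 prov in.tftpd[2217]: RRQ from 198.51.100.9 filename cfg_0200AB000001_0000.cfg
Jun 24 08:31:02 prov in.tftpd[2218]: RRQ from 198.51.100.9 filename cfg_0200AB000001_0001.cfg
Jun 24 08:31:04 prov in.tftpd[2219]: RRQ from 198.51.100.9 filename cfg_0200AB000001_0002.cfg
Jun 24 08:31:06 prov in.tftpd[2220]: RRQ from 198.51.100.9 filename cfg_0200AB000001_0003.cfg
Jun 24 08:31:08 prov in.tftpd[2221]: RRQ from 198.51.100.9 filename cfg_0200AB000001_0004.cfg
Jun 24 08:31:10 prov in.tftpd[2222]: RRQ from 198.51.100.9 filename cfg_0200AB000001_0005.cfg
Jun 24 08:31:12 prov in.tftpd[2223]: RRQ from 198.51.100.9 filename cfg_0200AB000001_0006.cfg
Jun 24 08:31:14 prov in.tftpd[2224]: RRQ from 198.51.100.9 filename cfg_0200AB000001_0007.cfg
Jun 24 08:31:20 prov in.tftpd[2225]: sending NAK (1, File not found) to 198.51.100.9
"""


def parse_line(line, year=2011):
    """Return (timestamp, source_ip, filename) for an RRQ line, else None.

    Syslog lines carry no year, so the caller supplies it (assumed 2011 here).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["name"]


def find_enumerators(lines, window_s=60, max_distinct=5):
    """Return {ip: peak_distinct_files} for every source IP that requested
    more than max_distinct different file names inside any window_s-second
    sliding window. Re-requests of the same file (reboots, retries) do not
    count, so a single device never trips the rule."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, filename)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not an RRQ line; ignore
        ts, ip, name = parsed
        q = recent[ip]
        q.append((ts, name))
        # Drop requests that have aged out of the window for this IP.
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = len({n for _, n in q})
        if distinct > max_distinct:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


if __name__ == "__main__":
    for ip, n in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"block {ip}: {n} distinct config files requested within 60s")
```

With the defaults only 198.51.100.9 is reported; lowering max_distinct to 2 would also catch the three-device NAT at 203.0.113.8, which is the trade-off to tune against real provisioning traffic before feeding the result into a firewall block list.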
06/25/2011 - Nettalk has not yet responded to my attempts to reach out. Thomas has basically changed all his LinkedIn information. [RECOMMENDATION] Clients of Nettalk should keep an eye on their phone bills and their personal information. With the SIP credentials an attacker can not only place calls but receive them as well. This means they can impersonate you and gather additional information to use in other unethical ways.
If you are visiting my site from Nettalk, please feel free to contact me via email. Provide your telephone number and position in that email and I will be more than glad to call you to discuss this.
Comments (2)
June 25th, 2011 at 12:47 pm
As of 6/25, around 11:00 AM EST, it seems the TFTP server has been locked down or turned off.
April 15th, 2012 at 12:45 pm
I think there’s a tone vulnerability as well. Last week I received several unknown calls from the same number (and a few other unknown numbers as well); when I checked my call log, I noticed a pattern: 2 minutes after the first number called, the second number would call for 2 rings then end; within 5 minutes my device would call out to that other number.
My voicemail is now indicating someone else, and even when I turn off voicemail via their software, it still answers and it’s still the wrong voicemail box (or, as I assert, a hijacked number). So far no response from Nettalk after submitting a ticket, but interestingly, I was apparently on hold with tech support for 180 minutes this past week even though I made no such call (I didn’t even know the number).
This actually begs the question: if one can hijack the device by calling it, one should be able to use it to back door into a private, thought-to-be-secure network.